Skip to content

feat: pessimistic Velo single oracle — v1 review + v2 review fixes#155

Closed
piesrtasty wants to merge 2 commits into
devfrom
feat/update-pessimistic-velo-single-oracle-squashed
Closed

feat: pessimistic Velo single oracle — v1 review + v2 review fixes#155
piesrtasty wants to merge 2 commits into
devfrom
feat/update-pessimistic-velo-single-oracle-squashed

Conversation

@piesrtasty

@piesrtasty piesrtasty commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Squashes the whole pessimistic Velo LP single-oracle work into one commit on top of dev. It's everything that isn't
on dev yet — the v1 review (#152 and the follow-ups) plus the v2 fixes from the review.

Heads up: the v1 review branch was never merged to dev, so this PR carries it along too.

Already in from v1:

v2 review fixes:

  • H-04 / L-17 – relayer prices off min(cached, live) price-per-share and fails closed if the vault read reverts; a
    no-op update doesn't reset the repricing timer anymore
  • M-13 / M-16 – the single-feed price cap uses TWAP-averaged reserves instead of spot, and I extended it to stable
    pools too. Stops someone moving the cap in a single block, and covers the case where the unfed token (e.g. LUSD)
    depegs but its TWAP price is still lagging
  • M-14 – dual-feed stable pools re-check the peg band on the read path, so a live depeg invalidates the cached low
    right away instead of serving it until it ages out
  • L-12 / L-16 / L-20 / L-22 – reworked the single-feed daily-low clamp to be fail-soft. Floor is anchored to the
    prior day's low, can't ratchet down within a day, decays sanely after a missed day, and a real crash no longer
    freezes the oracle — it steps the low down and stays live
  • L-13 / L-19 – geomean no longer returns zero for valid reserves; the TWAP-derived price rounds once at the end
    instead of per-sample
  • L-18 – the TWAP window now has to be fully past the last sequencer recovery
  • L-15 – OracleJob actually propagates an invalidation through to the SAFE engine now, without letting keepers farm
    rewards on no-ops

Didn't touch: H-05, M-04, M-06, M-12, L-02, L-10, L-11, L-14, L-21, L-23 — either already fixed, accepted, or didn't
hold up on a closer look. Reasoning is in the review doc.

One thing to be aware of: a few of these (M-14, L-18, L-15) make the oracle fail closed faster. That's intended, but
it does mean a sustained stable depeg can halt that collateral until it recovers or we swap the oracle out. Flagging
so it's not a surprise.

Testing: unit tests for each fix plus a handful of integration ones — a real DelayedOracle front-run for H-04, the
two-cycle invalidation for L-15, the recovery boundary for L-18, and a multi-day crash to show the clamp converges. I
checked the two integration tests actually fail if you revert the fix. Oracle + jobs suites are green; the leftover
failures in the full unit run are pre-existing fuzz/testFail noise unrelated to the oracle (they're on the base too).

Squash of the full pessimistic Velodrome LP single-oracle line that is not yet on
dev: the v1 internal review (PR #152 and follow-ups) and the v2 Zerocool audit
remediations.

v1 review base (commits 23f2dc4..8f948fd):
- single-feed TWAP pricing excludes quote slippage
- integer-overflow handling for deep-liquidity stable pools
- pessimistic LP oracle review (#152)
- zero share prices invalidate the cached vault price

v2 Zerocool audit fixes:
- H-04 / L-17: vault relayer prices off min(cached, live) pricePerFullShare and fails
  closed on a reverting vault read; equal-value no-op updates no longer reset the timer
- M-13 / M-16: the single-feed LP price cap uses TWAP-averaged reserves and now also
  applies to the stable branch — resisting single-block reserve manipulation and
  unfed-token (e.g. LUSD) depeg-lag overvaluation
- M-14: dual-feed stable pools re-validate the peg band on the pessimistic read path,
  so a live depeg invalidates the cached low immediately
- L-12 / L-16 / L-20 / L-22: fail-soft single-feed daily-low clamp anchored to the
  prior-day low — no intra-day ratchet, bounded decay after a keeper gap, and no
  oracle freeze on a legitimate sharp drop (steps down and stays live)
- L-13 / L-19: overflow-gated exact geometric mean (no false zero); single-rounding
  TWAP-derived price (no per-sample flooring to zero)
- L-18: TWAP window gated on post-sequencer-recovery observations
- L-15: OracleJob propagates delayed-oracle invalidation to the SAFE engine without
  enabling keeper reward farming

Findings reviewed and intentionally left without a code change (acknowledged /
already-fixed / invalid): H-05, M-04, M-06, M-12, L-02, L-10, L-11, L-14, L-21, L-23.

Every fix carries unit tests plus end-to-end / boundary regression tests, and was
independently re-verified against its finding.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@piesrtasty piesrtasty changed the title feat: pessimistic Velo single oracle — v1 review + v2 audit fixes feat: pessimistic Velo single oracle — v1 review + v2 review fixes Jun 12, 2026
@piesrtasty

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3303c7e0c5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/contracts/oracles/PessimisticVeloSingleOracle.sol Outdated
@piesrtasty

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Bravo.

Reviewed commit: 659c73fbf6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@piesrtasty piesrtasty closed this Jun 19, 2026
@piesrtasty piesrtasty deleted the feat/update-pessimistic-velo-single-oracle-squashed branch June 19, 2026 02:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant